Results 1-10 of 19
Cryptanalytic Attacks on Pseudorandom Number Generators
FAST SOFTWARE ENCRYPTION, FIFTH INTERNATIONAL PROCEEDINGS, 1998
Cited by 57 (2 self)
In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, "random" nonces, and other values assumed to be random. We argue that PRNGs are their own unique type of cryptographic primitive, and should be analyzed as such. We propose a model for PRNGs, discuss possible attacks against this model, and demonstrate the applicability of the model (and our attacks) to four real-world PRNGs. We close with a discussion of lessons learned about PRNG design and use, and a few open questions.
DEAL - A 128-bit Block Cipher
NIST AES Proposal, 1998
Cited by 28 (0 self)
We propose a new block cipher, DEAL, based on the DES (DEA). DEAL has a block size of 128 bits and allows for three key sizes of 128, 192, and 256 bits respectively. Our proposal has several advantages to other schemes: because of the large blocks, the problem of the "matching ciphertext attacks" is made small, and the encryption rate is similar to that of triple-DES. We conjecture that the most realistic (or the least unrealistic) attack on all versions of DEAL is an exhaustive search for the keys. We have suggested ANSI to include DEAL in the ANSI standard X9.52. We also suggest DEAL as a candidate for the NIST AES standard. 1 Introduction The DES (or DEA) [14] is a 64-bit block cipher taking a 64-bit key, of which 56 bits are effective. It is an iterated 16-round cipher, where the ciphertext is processed by applying a round function iteratively to the plaintext. The DES has a so-called Feistel structure: in each round one half of the ciphertext is fed through a nonlinear f...
Second preimages on n-bit hash functions for much less than 2^n work
Cited by 26 (3 self)
We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2^k-message-block message with about k × 2^(n/2+1) + 2^(n−k+1) work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2^60 byte message in about 2^106 work, rather than the previously expected 2^160 work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages – patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgård-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.
Attacking Triple Encryption
1998
Cited by 12 (0 self)
The standard technique to attack triple encryption is the meet-in-the-middle attack. In this paper, more efficient attacks are presented. Compared to meet-in-the-middle, our attacks either greatly reduce the number of single encryptions to be done, or somewhat reduce the overall number of steps. Especially, about 2^108 steps of computation are sufficient to break three-key triple DES. If one concentrates on the number of single DES operations and assumes the other operations to be much faster, 2^90 of these are enough. We use this to compare the security of triple DES and DESX.
Improved generic algorithms for hard knapsacks
Cited by 12 (3 self)
At Eurocrypt 2010, Howgrave-Graham and Joux described an algorithm for solving hard knapsacks of density close to 1 in time Õ(2^(0.337n)) and memory Õ(2^(0.256n)), thereby improving a 30-year old algorithm by Shamir and Schroeppel. In this paper we extend the Howgrave-Graham–Joux technique to get an algorithm with running time down to Õ(2^(0.291n)). An implementation shows the practicability of the technique. Another challenge is to reduce the memory requirement. We describe a constant memory algorithm based on cycle finding with running time Õ(2^(0.72n)); we also show a time-memory tradeoff.
On the Security of the 128-Bit Block Cipher DEAL
1998
Cited by 4 (0 self)
DEAL is a DES-based block cipher proposed by Knudsen. The block size of DEAL is 128 bits, twice as much as the DES block size. The main result of the current paper is a certificational attack on DEAL-192, the DEAL variant with a 192-bit key. The attack allows a tradeoff between the number of plaintext/ciphertext pairs and the time for the attacker's computations. Nevertheless, the DEAL design principle seems to be a useful way of doubling the block size of a given block cipher. 1 Introduction The "data encryption standard" (DES) is the world's most well known symmetric cipher. Formally, the standard defines a 64-bit key, but 8 bits are defined as "parity bits" and only 56 bits are actually used as the encryption key, i.e., the DES key size is 56 bits. Brute-force attacks for recovering a key are feasible, today – and considered the only practical way of breaking DES. Thus, while the DES itself cannot be considered secure, it is still attractive to use it as a component for designing ano...
On the Security of Double and 2-Key Triple Modes of Operation
FAST SOFTWARE ENCRYPTION 1999, 1999
Cited by 3 (1 self)
The DES has reached the end of its lifetime due to its too short key length and block length (56 and 64 bits respectively). As we are awaiting the new AES, triple (and double) encryption are the common solution. However, several authors have shown that these multiple modes are much less secure than anticipated. The general belief is that these schemes should not be used, as they are not resistant against attacks requiring 2^64 chosen plaintexts. This paper extends the analysis by considering some more realistic attack models. It also presents an improved attack on multiple modes that contain an OFB mode and discusses practical solutions that take into account realistic constraints.
Cryptanalysis of TWOPRIME
1998
Cited by 2 (1 self)
Ding et al [DNRS97] propose a stream generator based on several layers. We present several attacks. First, we observe that the non-surjectivity of a linear combination step allows us to recover half the key with minimal effort. Next, we show that the various bytes are insufficiently mixed by these layers, enabling an attack similar to those on two-loop Vigenere ciphers to recover the remainder of the key. Combining these techniques lets us recover the entire TWOPRIME key. We require the generator to produce 2 blocks (2 bytes), or 19 hours worth of output, of which we examine about one million blocks (2^23 bytes); the computational workload can be estimated at 2 operations. Another set of attacks trades off texts for time, reducing the amount of known plaintext needed to just eight blocks (64 bytes), while needing 2 time and 2 space. We also show how to break two variants of TWOPRIME presented in the original paper.
A Universal Encryption Standard
2000
Cited by 1 (0 self)
DES and triple-DES are two well-known and popular encryption algorithms, but they both have the same drawback: their block size is limited to 64 bits. While the cryptographic community is working hard to select and evaluate candidates and finalists for the AES (Advanced Encryption Standard) contest launched by NIST in 1997, it might be of interest to propose a secure and simple double block-length encryption algorithm. More than in terms of key length and block size, our Universal Encryption Standard is a new construction that remains totally compliant with DES and triple-DES specifications as well as with AES requirements.